DHS misses deadline to submit cyber strategy to Congress

The Department of Homeland Security (DHS) has missed a deadline for submitting a new cybersecurity strategy to Congress, a department official acknowledged on Tuesday. 

The DHS was required by annual defense policy legislation passed in December to spell out a departmentwide cybersecurity strategy by last week. Rep. Cedric Richmond (D-La.) signaled at a hearing on Tuesday morning that members of a congressional panel with oversight of the DHS had yet to receive the strategy.

A DHS cybersecurity official acknowledged that the department had missed the March 23 deadline and could take months to complete the strategy with input from Trump administration officials.

“We are working on the cybersecurity strategy as required under the National Defense Authorization Act, recognizing that it was due last week,” Jeanette Manfra, acting deputy undersecretary for cybersecurity at the DHS’s National Protection and Programs Directorate, said in response to questioning from Richmond.

{mosads}“However, we do need time to ensure that the new administration has an opportunity to review and provide guidance on what that strategy should look like,” Manfra said. “We do anticipate that that will be over to you all soon and we look forward to working with you on implementing that strategy.” 

When pressed on the timeline, Manfra said that the department hopes to complete it within “months.”

“Our goal is to get it within the next couple of months, sir, but we need to ensure that our leadership and the new administration has a chance to review it and provide the guidance,” Manfra told the Democratic lawmaker. “We are working very hard on it, and this is something that we recognize as critical to our success and the next evolution for DHS cybersecurity.”

Manfra was questioned extensively on the DHS’s cyber efforts by members of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection. Lawmakers emphasized the need for the DHS to improve methods of protecting federal networks and boost information-sharing efforts with the private sector on cybersecurity threats. 

The fiscal 2017 National Defense Authorization Act (NDAA) passed in December directed the secretary of Homeland Security — a post now held by John Kelly in President Trump’s Cabinet — to develop a departmental cybersecurity strategy and submit it to Congress no later than 90 days after the enactment of the law.

The strategy is required to spell out the DHS’s “strategic and operational goals and priorities” for cybersecurity and include information on cybersecurity programs, policies and activities, drawing on past cyber strategies.

Kelly is also directed to develop an implementation plan for the new strategy.

The Trump administration has signaled that it will make safeguarding federal networks a cybersecurity priority. The proposed fiscal 2018 budget released by the White House earlier this month allocates $1.5 billion to the DHS for protecting federal networks and critical infrastructure from cyber threats.

Trump is also expected to sign an executive order on cybersecurity, though it has been delayed since late January.